Defensive Programming in PHP

Paco Hope

August, 21st (1 day)

Trainer_Paco_HopeThis course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:

  • PHP Platform Security
  • The PHP Application Risk Landscape
  • Secure Design Principles
  • Defensive Programming Techniques in PHP
  • Secure PHP Architecture and Configuration


Participants should bring their own laptop with VirtualBox software installed.

About the trainer

Author of two security books and frequent conference speaker, Paco Hope is a Principal Consultant with Cigital Ltd and has been working in the field of software security for over 12 years. The oldest PHP code he could find on his systems was dated 3 November 1999. Paco helps clients in the financial, retail, and online gaming industries build secure software by performing source code review and architectural risk analysis. He is also a member of the Application Security Advisory Board for (ISC)2, serving as a subject matter expert for the CISSP and CSSLP certifications.

For further information or questions please contact Tiago at paco _at_